Meet the New Boss: Context on Cybersecurity and US Federal Leadership

Applauding the appointment of seasoned cybersecurity policy experts is a premature celebration. Those who follow, and the nature of their agenda, will be a better indicator of how successful the incoming administration will be with regards to safety and security in cyberspace.

By now you’ve heard the names of those who will be leading the charge for cybersecurity issues in the incoming administration. You know they can do the job, and as much as a jaded veteran of this space dare dream, confidence remains high.

But we’ve been here before. These reputations are hard fought at won, but it is largely because of the fights, not the victories. Our weapon of choice for dealing with malicious activity online is still a law first passed in 1986. We have an entire military command dedicated to ‘fighting’ online, but the flail of the day is rooted in activity no amount of martial muscle can combat.

Exuberance at the potential of what may come is tempered by the fact that “cyber” is what we do when we’re not shooting at people, or mother nature isn’t kicking large swaths of the country in the face. Today it’s Solarwinds, yesterday it was Solar Sunrise. A $10B investment here is an echo of a multi-billion dollar investment there. We’ve been here before, and all the king’s horses have yet to shift things significantly in the right direction.

If hope springs eternal, it is only because we take the time to envision what a better tomorrow looks like. To that end, herewith some signals that may indicate the next four years won’t draw comparisons to Groundhog Day:

Nerd Count. The appointment of lawyers, policy wonks, and political cronies to top positions in government is never going to stop. While it’s clear the selectees in this space fit the qualitative bill, we’ll have a better idea of how well things will develop based on how many technical experts fill out deputy and second-tier positions. If you ever wondered why so many cybersecurity policies and proposals seem to fly in the face of physics, it’s largely because of the lack of technical chops in the upper echelons of decision-making.

Novel Thinking. The fact that someone unironically said ‘Cyber Pearl Harbor’ in the news the other day tells you that we’re still a field dominated by people who both aren’t paying attention, and are stuck imagining legacy futures. Cold War-think and the half-baked ideas of amateur military historians are not doing us any favors. Proposals that are devoid of martial analogs are a reflection that serious thought is being applied.

Focus on the Fundamentals. While epic hacks garner headlines, the real work of cybersecurity is routine, ugly, and dirty. There is no glossing over the fact that it’s digital janitor work, dressed up in silly threat actor labels and blinky boxes. Just like there is no magic weight loss pill, and everyone doesn’t actually get better looking at closing time, improving security is boring and efforts to improve it grunt work. The more efforts that focus on systemic issues that take the human (notoriously unreliable when it comes to doing the right thing) out of the loop the better.

Bilateral Action. “Magna Carta.” “Bill of Rights.” A year rarely goes by without someone trying to superimpose some political framework onto cyberspace to cure what ails us. Everyone apparently forgetting that there is almost no universal agreement on every right or wrong. Ask anyone who works on the illicit images problem how many nations there are that haven’t made such practices, much less possession, illegal. The rapid identification of “those like us” and the adoption of agreements for center mass issues is how you eat the international diplomatic elephant (one bite at a time).

Ordinary Not Special. As I stated earlier, cybersecurity is what we care about when there is nothing else to care about. Progress requires a sustained level of interest and effort. This means making cybersecurity a part of every day’s agenda if we’re going to acquire policy-proficiency, and maintain a top-of-mind position in the people’s business. It doesn’t have to be the most important thing, but it has to be a thing because our relationship with technology is only getting more intimate.

Thirty years in the field has taught me to maintain a level of hope, but to not get too worked up about transitions and talk of change. Everyone is all talk until they sit down in the chair and begin to understand exactly what it takes to govern. Campaign slogans are aspirations, not foregone conclusions, which is why we’re still in Afghanistan, GITMO is still a thing, and we can’t figure out how to ensure getting sick won’t drive you into bankruptcy.

The incoming administration deserves our respect and support, and we should judge them on how far they can advance the ball, not necessarily how often they score. But if we start to see a lot of screen plays and 3 and out series, we’ll know the state of cybersecurity in 2024 won’t be that much better than it is today.